Singapore unveils new guidelines for FSI outsourcing, cloud

Monetary Authority of Singapore introduces a section on cloud computing services in its outsourcing guidelines for financial institutions and removes the need for pre-notification of such arrangements.
Written by Eileen Yu, Senior Contributing Editor

Singapore has introduced new guidelines for financial institutions that outsource risk management as well as deploy cloud computing services.

The updated outsourcing guidelines were established following "extensive" industry and public consultation and aimed to encourage "prudent risk management practices", the Monetary Authority of Singapore (MAS) said in a statement.

Key changes included a new section on cloud computing that detailed the regulator's views on such deployment as well as the removal of expectations for financial institutions to pre-notify MAS of material outsourcing agreements. The regulator also revised its definition of such arrangements, under certain circumstances, to include those that involved customer data.

Such outsourcing arrangements would include services where a system failure or security breach could impact the institution's business operations or reputation, as well as its ability to manage risk and comply with local laws. These also included arrangements involving customer information where loss, theft, or unauthorised access or disclosure of the data might have a material impact on the institution's customers.

MAS added that customer information, in its general definition, would not include encrypted customer data, but only if the identities of customers could not be readily inferred from the encrypted data.

The new section on cloud services underscored the need for financial institutions to carry out the necessary due diligence as well as governance and risk management practices highlighted in the guidelines.

"Institutions should be aware of cloud services' typical characteristics such as multi-tenancy, data commingling, and the higher propensity for processing to be carried out in multiple locations," MAS noted. "Hence, institutions should take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance, and auditing."

"In particular, institutions should ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls. The service provider should have in place robust access controls to protect customer information and such access controls should survive the tenure of the contract of the cloud service."

MAS added that financial institutions, ultimately, would be "responsible and accountable" for maintaining oversight of cloud services as well as the associated risks of adopting such services as part of their outsourcing agreements.

"A risk-based approach should be taken by institutions to ensure the level of oversight and controls are commensurate with the materiality of the risks posed by the cloud service," it added.

Under the revised guidelines, effective immediately, institutions also would not need to inform the authority before making any material outsourcing commitment, but were expected to observe "appropriate due diligence" in establishing such agreements. They also should still be able to submit outsourcing registers to MAS at least once a year or when requested to do so.

Deputy managing director Ong Chong Tee said: "The new outsourcing guidelines reflect MAS' continuing efforts to strengthen our guidance to financial institutions in this area. The revised guidelines build on the existing ones to better capture evolving threats such as offshoring business models and heightened cyber risks."
